The error message says to check:
See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
But I'm not 100% sure how to fix it.
I looked in /etc/default/intel-microcode and found this:
# Configuration script for intel-microcode version 3
#
# initramfs helper
#
# Set this to "no" to disable automatic microcode updates on boot;
# Set this to "auto" to use early initramfs mode automatically (default);
# Set this to "early" to always attempt to create an early initramfs;
# IUCODE_TOOL_INITRAMFS=auto
# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
# the initramfs size bloat, by detecting which Intel processors are active
# in this system, and installing only their microcodes.
#
# Set this to "no" to either include all microcodes, or only the microcodes
# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
#
# WARNING: including all microcodes will increase initramfs size greatly.
# This can cause boot issues if the initramfs is already large.
# IUCODE_TOOL_SCANCPUS=yes
# Extra options to pass to iucode_tool, useful to forbid or to
# force the inclusion of microcode for specific processor signatures.
# See iucode_tool(8) for details.
#IUCODE_TOOL_EXTRA_OPTIONS=""
which I changed to this:
# Configuration script for intel-microcode version 3
#
# initramfs helper
#
# Set this to "no" to disable automatic microcode updates on boot;
# Set this to "auto" to use early initramfs mode automatically (default);
# Set this to "early" to always attempt to create an early initramfs;
IUCODE_TOOL_INITRAMFS=auto
# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
# the initramfs size bloat, by detecting which Intel processors are active
# in this system, and installing only their microcodes.
#
# Set this to "no" to either include all microcodes, or only the microcodes
# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
#
# WARNING: including all microcodes will increase initramfs size greatly.
# This can cause boot issues if the initramfs is already large.
IUCODE_TOOL_SCANCPUS=yes
# Extra options to pass to iucode_tool, useful to forbid or to
# force the inclusion of microcode for specific processor signatures.
# See iucode_tool(8) for details.
#IUCODE_TOOL_EXTRA_OPTIONS=""
Previously, I turned off hyper threading in the BIOS and I also changed the settings in /etc/default/grub to this:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash maxcpus=6"
As I have six physical CPUs on my machine.
Note: Undo your previous edits to /etc/default/intel-microcode and /etc/default/grub.

Mitigation control on the kernel command line
The kernel command line allows to control the MDS mitigations at boot time with the option "mds=". The valid arguments for this option are:

full: If the CPU is vulnerable, enable all available mitigations for the MDS vulnerability, CPU buffer clearing on exit to userspace and when entering a VM. Idle transitions are protected as well if SMT is enabled. It does not automatically disable SMT.

full,nosmt: The same as mds=full, with SMT disabled on vulnerable CPUs. This is the complete mitigation.

off: Disables MDS mitigations completely.
sudo -H gedit /etc/default/grub

Change:

To:

Save the file and quit gedit.

sudo update-grub
reboot
Note: Understand that you'll take a HUGE performance hit on multi-cpu or multi-core configurations.
Note: If the performance hit is too great, try mds=full instead of mds=full,nosmt.
According to Intel's Security Advisory Bulletin, in order to mitigate this issue you should update the CPU microcode. This vulnerability was fixed by the 20190514 microcode update. You can check the current version of the package which installs microcode on your system with the
dpkg -s intel-microcode
command. If its number is greater, then you're OK.

Also update your BIOS to the most recent version, but this step is vendor-specific. You can check recommendations for several vendors at Intel's site here.
Both these steps together should mitigate this vulnerability in some cases. But if the output of
dmesg | grep 'data leak'
still shows info about 'MDS CPU bug', then it wasn't mitigated fully. You can check with
cat /sys/devices/system/cpu/vulnerabilities/mds
which components of your system are still affected.

In this case you should consider disabling Hyper-Threads completely. But be aware that this may cause a performance penalty, as @heynnema mentioned in his answer.
Read the Ubuntu KnowledgeBase Article which describes this vulnerability in detail.
So there's no universal answer, it depends on use case. You can mitigate it at the cost of performance or leave it as is (Intel states that "practical exploitation of MDS is a very complex undertaking").
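As an added example (not code from either answer), a small POSIX sh script that turns the two checks described above into verdicts: it interprets the /sys/devices/system/cpu/vulnerabilities/mds status line using the formats documented in the kernel mds admin guide linked in the question, and compares the intel-microcode package version against the 20190514 release named in the answer. The sample strings and the verdict words are constructed labels of mine, not kernel or Ubuntu output.

```shell
#!/bin/sh
# Added example: give the "cat .../mds" and "dpkg -s intel-microcode" checks
# a verdict. Status formats follow the kernel's mds admin guide; the verdict
# words and the sample version numbers in comments are constructed.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
FIXED_MICROCODE=20190514   # microcode release named in the answer

# mds_verdict STATUS_LINE -> prints one word:
#   not-affected     CPU lacks the MDS bugs
#   fully-mitigated  buffer clearing active and SMT disabled (mds=full,nosmt)
#   partial          buffer clearing active but SMT still on (mds=full)
#   host-unknown     running in a VM; host SMT state cannot be seen
#   needs-microcode  kernel clears buffers but the CPU lacks MD_CLEAR microcode
#   vulnerable       no mitigation in effect (old kernel or mds=off)
mds_verdict() {
    case "$1" in
        "Not affected"*)                                          echo not-affected ;;
        "Mitigation: Clear CPU buffers; SMT disabled"*)           echo fully-mitigated ;;
        "Mitigation: Clear CPU buffers; SMT Host state"*)         echo host-unknown ;;
        "Mitigation: Clear CPU buffers"*)                         echo partial ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo needs-microcode ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        *)                                                        echo unrecognised ;;
    esac
}

# microcode_ok DPKG_VERSION
# Ubuntu intel-microcode versions look like 3.20190618.0ubuntu0.18.04.1 (constructed);
# returns 0 when the embedded YYYYMMDD release is at least FIXED_MICROCODE.
microcode_ok() {
    rel=$(printf '%s\n' "$1" | sed -n 's/^[0-9]*\.\([0-9]\{8\}\).*/\1/p')
    [ -n "$rel" ] && [ "$rel" -ge "$FIXED_MICROCODE" ]
}

# Live checks, skipped where the inputs are not available on this machine.
if [ -r "$MDS_SYSFS" ]; then
    status=$(cat "$MDS_SYSFS")
    printf 'mds status : %s -> %s\n' "$status" "$(mds_verdict "$status")"
fi
if command -v dpkg-query >/dev/null 2>&1; then
    ver=$(dpkg-query -W -f '${Version}' intel-microcode 2>/dev/null)
    if [ -n "$ver" ]; then
        if microcode_ok "$ver"; then printf 'microcode  : %s (ok)\n' "$ver"
        else printf 'microcode  : %s (older than %s)\n' "$ver" "$FIXED_MICROCODE"; fi
    fi
fi
```

A "partial" verdict with mds=full is the trade-off the accepted answer describes: buffers are cleared but a sibling hyperthread can still observe the core.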